Only 53 per cent of councils across New South Wales had a formal cybersecurity strategy or plan in place in 2022, according to findings from a just-released Auditor-General Report on Local Government 2022.
Cybersecurity findings were reported in 63 councils last year, two fewer than the previous year, with all 63 councils found to be lacking many basic governance and internal controls required to effectively manage their cyber defences.
These included deficits in cybersecurity frameworks, policies and procedures, as well as the lack of a sufficient register of cyber incidents, of simulated cyber-attack testing, and of cybersecurity training and awareness programs.
In response to the findings, which showed that 69 councils lacked a formal cybersecurity plan, the audit recommended that all councils prioritise the creation of such a plan. The plan should be based on the Office of Local Government’s (OLG’s) Cyber Security Guideline for NSW Local Government, and is intended to ensure that cybersecurity risks over key data and IT assets are appropriately managed and key data is safeguarded.
“The risks associated with poor cybersecurity maturity are compounded by information technology control weaknesses and poor information systems security hygiene,” the report said.
Although the report found that the overall number of adverse IT findings went down from 296 to 236, the number of high-risk findings identified, described as “repeat and ongoing”, was up from six last year to a total of nine in this year’s report.
This, the AG noted, was due to a number of unresolved issues, declared in the previous year’s audit to be of ‘moderate risk’, being reassessed as ‘high risk’.
As far as common IT findings were concerned, 43 councils (2020–21: 59 councils) did not formalise and/or regularly review their key IT policies and procedures.
“It is important for key IT policies to be formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment,” the AG wrote.
“Lack of formal IT policies and procedures may result in inconsistent and inappropriate practices and an increased likelihood of inappropriate access to key systems.”
On top of that, a lack of periodic user access reviews was found at 28 councils, while insufficient control over privileged users was detected at 46 councils.
The following common access management findings were identified:
• 28 councils (2020–21: 42 councils) did not perform a periodic user access review to ensure users’ access to key IT systems was appropriate and commensurate with their roles and responsibilities.
• 46 councils (2020–21: 73 councils) had gaps in their privileged user management process. This included gaps in restricting privileged users’ access or in monitoring privileged users’ activity logs.
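The two access management controls the audit found missing, a periodic review of whether each user’s access matches their role and oversight of privileged accounts, can be expressed as a simple review script. The following is an added example and is not taken from the Auditor-General’s report or the OLG guideline; the job roles, entitlement model, account records, dates and 90-day thresholds are all constructed for illustration.

```python
"""Periodic user access review over a constructed account export.

Flags four conditions a reviewer would want to see:
  excess_access          roles beyond what the user's job role entitles them to
  review_overdue         access not reviewed within the review period
  dormant                no login within the dormancy window
  privileged_unmonitored privileged roles held without activity-log monitoring
All data below is constructed for the example (hypothetical roles and users).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed entitlement model: the system roles each job role may hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "rates_officer": {"finance_app:user"},
    "records_clerk": {"records_app:user"},
    "it_admin": {"finance_app:admin", "ad:domain_admin"},
}
# Roles treated as privileged; their activity logs are expected to be monitored.
PRIVILEGED_ROLES: Set[str] = {"finance_app:admin", "ad:domain_admin"}


@dataclass
class Account:
    username: str
    job_role: str
    roles: Set[str]
    last_login: Optional[date]
    last_reviewed: Optional[date]
    activity_logging: bool  # True if this account's actions are captured and reviewed


def days_since(today: date, when: Optional[date]) -> Optional[int]:
    """Age in days of a recorded date, or None if nothing was ever recorded."""
    return None if when is None else (today - when).days


def review_accounts(accounts: List[Account], today: date,
                    review_period_days: int = 90,
                    dormant_days: int = 90) -> List[Dict[str, str]]:
    """Return one finding dict per control gap detected across the accounts."""
    findings: List[Dict[str, str]] = []

    def flag(acct: Account, issue: str, detail: str) -> None:
        findings.append({"username": acct.username, "issue": issue, "detail": detail})

    for acct in accounts:
        # 1. Does the user's access match their role? Unknown job roles get no entitlements.
        allowed = ROLE_ENTITLEMENTS.get(acct.job_role, set())
        excess = sorted(acct.roles - allowed)
        if excess:
            flag(acct, "excess_access", "roles beyond job entitlement: " + ", ".join(excess))
        # 2. Has the access been reviewed within the review period?
        since_review = days_since(today, acct.last_reviewed)
        if since_review is None or since_review > review_period_days:
            flag(acct, "review_overdue",
                 "never reviewed" if since_review is None else f"last reviewed {since_review} days ago")
        # 3. Is the account still in use? Dormant accounts are candidates for removal.
        since_login = days_since(today, acct.last_login)
        if since_login is None or since_login > dormant_days:
            flag(acct, "dormant",
                 "never logged in" if since_login is None else f"last login {since_login} days ago")
        # 4. Are privileged roles held without monitoring of the account's activity?
        privileged = sorted(acct.roles & PRIVILEGED_ROLES)
        if privileged and not acct.activity_logging:
            flag(acct, "privileged_unmonitored",
                 "privileged roles without activity-log monitoring: " + ", ".join(privileged))
    return findings


def summarise(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per issue type, the figure a council would report upward."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


# Constructed sample export: four hypothetical accounts as of a fixed review date.
SAMPLE_TODAY = date(2023, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "rates_officer", {"finance_app:user"},
            date(2023, 6, 28), date(2023, 5, 1), False),
    Account("bob", "records_clerk", {"records_app:user", "finance_app:admin"},
            date(2023, 6, 20), date(2022, 11, 15), False),
    Account("carol", "it_admin", {"finance_app:admin", "ad:domain_admin"},
            date(2023, 1, 10), date(2023, 6, 1), True),
    Account("dave", "contractor", {"finance_app:user"}, None, None, False),
]


def run_sample_review() -> List[Dict[str, str]]:
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f['username']:<8} {f['issue']:<24} {f['detail']}")
    print(summarise(run_sample_review()))
```

Run against the sample, the script raises seven findings: bob holds an admin role his job does not entitle him to, has not been reviewed in over 200 days and is unmonitored; carol is an unused administrator; and dave’s account has no known entitlements, no review and no logins. The entitlement table is the part a real council would replace with its own role-to-access mapping; the check logic stays the same.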